Issue 98603007: Launches a privileged utility process.

Issue 98603007: Launches a privileged utility process. (Closed)

Created:
7 years ago by Drew Haven

Modified:
6 years, 10 months ago

Reviewers:
jvoung (off chromium), cpu_(ooo_6.6-7.5), jam, Jorge Lucangeli Obes, Nico, mef

CC:
chromium-reviews, joi+watch-content_chromium.org, darin-cc_chromium.org, erikwright+watch_chromium.org, jam, stephenlin1, rsesek+watch_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Visibility:
Public.

More Reviews

Description

Creates a way to launch the utility process with elevated privileges on Windows systems for the rare operations that require administrator access. IPCs to the utility process will be filtered when it is running elevated. BUG=331881 Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=250409

Patch Set 1 #

Patch Set 2 : Actually works now. Removes unnecessary logging. #

Total comments: 3

Patch Set 3 : Moves elevation logic to a completely separate logic path. #

Patch Set 4 : Removes some unnecessary changes, adds some documentation. #

Patch Set 5 : Adds missing child_process_launcher files. #

Total comments: 18

Patch Set 6 : A bit of cleanup. #

Patch Set 7 : Added message filtering. #

Patch Set 8 : Mostly test cleanup. #

Total comments: 45

Patch Set 9 : Cleans up edge cases and error handling. Fixes nits. #

Total comments: 4

Patch Set 10 : Adds launch failure notification chains. #

Patch Set 11 : Cleans up formatting and removes some unnecessary functions. Adds an additional non-elevated white… #

Total comments: 6

Patch Set 12 : Cleans up ChildProcessLauncher implementations. #

Total comments: 18

Patch Set 13 : Resolves review feedback. #

Total comments: 6

Patch Set 14 : Removes unnecessary casts, extra tests and cleans up launch.cc #

Total comments: 5

Patch Set 15 : Moves whitelist to a new file, adds new OWNERS reviewers for that file. Also fixes ordering of met… #

Total comments: 14

Patch Set 16 : Adds OWNERS file and fixes nits. #

Patch Set 17 : Resync #

Patch Set 18 : Updates calls to BrowserChildProcessHost::Launch from NaCl code. #

Patch Set 19 : Makes content switches available in ChromeContentUtilityClient to non-windows builds. #

Patch Set 20 : Adds the elevation flag to the utility process. #

Created: 6 years, 10 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+224 lines, -17 lines)			Patch
M	base/process/launch.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+10 lines, -0 lines	0 comments	Download
M	base/process/launch_win.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	2 chunks	+36 lines, -0 lines	0 comments	Download
M	chrome/chrome.gyp	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19	1 chunk	+2 lines, -0 lines	0 comments	Download
M	chrome/service/service_utility_process_host.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -0 lines	0 comments	Download
M	chrome/service/service_utility_process_host.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+4 lines, -0 lines	0 comments	Download
A	chrome/utility/OWNERS	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15	1 chunk	+13 lines, -0 lines	0 comments	Download
M	chrome/utility/chrome_content_utility_client.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+5 lines, -0 lines	0 comments	Download
M	chrome/utility/chrome_content_utility_client.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18	5 chunks	+16 lines, -2 lines	0 comments	Download
A	chrome/utility/chrome_content_utility_ipc_whitelist.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14	1 chunk	+21 lines, -0 lines	0 comments	Download
A	chrome/utility/chrome_content_utility_ipc_whitelist.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14	1 chunk	+12 lines, -0 lines	0 comments	Download
M	components/nacl/browser/nacl_broker_host_win.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17	1 chunk	+3 lines, -1 line	0 comments	Download
M	components/nacl/browser/nacl_process_host.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/browser/browser_child_process_host_impl.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	3 chunks	+9 lines, -10 lines	0 comments	Download
M	content/browser/browser_child_process_host_impl.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	3 chunks	+7 lines, -0 lines	0 comments	Download
M	content/browser/child_process_launcher.h	View	1 2 3 4 5 6 7 8 9 10 11	2 chunks	+3 lines, -0 lines	0 comments	Download
M	content/browser/child_process_launcher.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	7 chunks	+19 lines, -3 lines	0 comments	Download
M	content/browser/gpu/gpu_process_host.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/browser/plugin_process_host.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/browser/ppapi_plugin_process_host.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/browser/renderer_host/render_process_host_impl.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/browser/utility_process_host_impl.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	3 chunks	+9 lines, -0 lines	0 comments	Download
M	content/browser/utility_process_host_impl.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19	5 chunks	+24 lines, -0 lines	0 comments	Download
M	content/browser/worker_host/worker_process_host.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/common/child_process_host_impl.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+3 lines, -1 line	0 comments	Download
M	content/public/browser/browser_child_process_host.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/public/browser/browser_child_process_host_delegate.h	View	1 2 3 4 5 6 7 8 9	1 chunk	+4 lines, -0 lines	0 comments	Download
M	content/public/browser/utility_process_host.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+5 lines, -0 lines	0 comments	Download
M	content/public/browser/utility_process_host_client.h	View	1 2 3 4 5 6 7 8 9	1 chunk	+3 lines, -0 lines	0 comments	Download
M	content/public/common/child_process_host_delegate.h	View	1 2 3 4 5 6 7 8 9 10 11 12	2 chunks	+5 lines, -0 lines	0 comments	Download
M	content/public/common/content_switches.h	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+1 line, -0 lines	0 comments	Download
M	content/public/common/content_switches.cc	View	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	1 chunk	+2 lines, -0 lines	0 comments	Download

Messages

Total messages: 38 (0 generated)

Expand Messages | Collapse Messages

mef

Looks pretty good! https://codereview.chromium.org/98603007/diff/20001/base/process/launch_win.cc File base/process/launch_win.cc (right): https://codereview.chromium.org/98603007/diff/20001/base/process/launch_win.cc#newcode148 base/process/launch_win.cc:148: shex_info.hwnd = NULL; We may have ...

7 years ago (2013-12-10 15:25:18 UTC) #1

mef

Hi Drew, I'm just curious about your plans in regards to this CL. I'm very ...

7 years ago (2013-12-18 21:02:10 UTC) #2

Drew Haven

My plan right now is that I'm finishing up some ChromeOS and platform-agnostic stuff for ...

7 years ago (2013-12-18 21:38:40 UTC) #3

My plan right now is that I'm finishing up some ChromeOS and
platform-agnostic stuff for the recovery tool, but now that the branch is
done I'll come back to this after the break.

What I want to do is clean this up and make it into more of a real CL and
not just a proof-of-concept since there aren't any major objections from
the people I've talked to so far.  Then I'll start formal review and we can
try to get it in first thing next year.


On Wed, Dec 18, 2013 at 1:02 PM, <mef@chromium.org> wrote:

> Hi Drew,
>
> I'm just curious about your plans in regards to this CL. I'm very
> interested in
> seeing it landed. :-)
>
> thanks,
> -m
>
>
> https://codereview.chromium.org/98603007/diff/80001/base/process/launch.h
> File base/process/launch.h (right):
>
> https://codereview.chromium.org/98603007/diff/80001/base/
> process/launch.h#newcode222
> base/process/launch.h:222: // and thus some common operations liie
> OpenProcess will fail. The process will
> nit: like
>
> https://codereview.chromium.org/98603007/diff/80001/base/
> process/launch_win.cc
> File base/process/launch_win.cc (right):
>
> https://codereview.chromium.org/98603007/diff/80001/base/
> process/launch_win.cc#newcode309
> base/process/launch_win.cc:309: if (process_handle)
> don't you need to close it otherwise?
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.cc
> File content/browser/child_process_launcher_elevated.cc (right):
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.cc#newcode40
> content/browser/child_process_launcher_elevated.cc:40:
> terminate_child_on_shutdown_ = true;
> nit: tabbing
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.cc#newcode137
> content/browser/child_process_launcher_elevated.cc:137:
> client_->OnProcessLaunched();
> But if !handle, then process is NOT launched?
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.cc#newcode171
> content/browser/child_process_launcher_elevated.cc:171:
> process.Terminate(RESULT_CODE_NORMAL_EXIT);
> This will probably fail for elevated process, wouldn't it?
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.cc#newcode172
> content/browser/child_process_launcher_elevated.cc:172: // On POSIX, we
> must additionally reap the child.
> Not sure what to do about POSIX stuff, given that this is
> windows-specific?
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.h
> File content/browser/child_process_launcher_elevated.h (right):
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.h#newcode1
> content/browser/child_process_launcher_elevated.h:1: // Copyright (c)
> 2012 The Chromium Authors. All rights reserved.
> nit: 2013
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.h#newcode10
> content/browser/child_process_launcher_elevated.h:10: #include
> "base/process/kill.h"
> is kill.h needed?
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/child_process_launcher_elevated.h#newcode34
> content/browser/child_process_launcher_elevated.h:34: int* exit_code)
> OVERRIDE;
> nit: tab
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/utility_process_host_impl.h
> File content/browser/utility_process_host_impl.h (right):
>
> https://codereview.chromium.org/98603007/diff/80001/
> content/browser/utility_process_host_impl.h#newcode79
> content/browser/utility_process_host_impl.h:79: // Whether to launche
> the process with elevated permissions.
> nit: launche
>
> https://codereview.chromium.org/98603007/
>

To unsubscribe from this group and stop receiving emails from it, send an email
to chromium-reviews+unsubscribe@chromium.org.

Drew Haven

Alright, I addressed some comments and did some clean up. I also integrated the message ...

6 years, 11 months ago (2014-01-09 01:15:13 UTC) #4

mef

https://codereview.chromium.org/98603007/diff/140001/base/process/launch.h File base/process/launch.h (right): https://codereview.chromium.org/98603007/diff/140001/base/process/launch.h#newcode224 base/process/launch.h:224: // option that is supported from LaunchOptions is start_hidden. ...

6 years, 11 months ago (2014-01-10 18:22:54 UTC) #5

Drew Haven

There are still a few things I need to work on around UAC cancelling and ...

6 years, 11 months ago (2014-01-16 02:52:04 UTC) #6

mef

Drew, thanks! I am very excited to see it coming together. Did you actually upload ...

6 years, 11 months ago (2014-01-16 16:22:31 UTC) #7

Drew, thanks! I am very excited to see it coming together. 
Did you actually upload the new patch? 
The last one I see is patch #8, which is a week old.

https://codereview.chromium.org/98603007/diff/140001/content/browser/child_pr...
File content/browser/child_process_launcher_elevated_win.cc (right):

https://codereview.chromium.org/98603007/diff/140001/content/browser/child_pr...
content/browser/child_process_launcher_elevated_win.cc:76: base::TimeDelta
launch_time = base::TimeTicks::Now() - begin_launch_time;
On 2014/01/16 02:52:05, Drew Haven wrote:
> On 2014/01/10 18:22:55, mef wrote:
> > Does this include the time of user sitting on UAC prompt?
> 
> Yes it will.  That might mess up our statistics?  Think we should just remove
it
> or give it its own histogram?
Good question. I think it is pretty useless, given that it includes random user
interaction time. :-(

https://codereview.chromium.org/98603007/diff/140001/content/browser/child_pr...
content/browser/child_process_launcher_elevated_win.cc:115:
RecordHistograms(begin_launch_time);
On 2014/01/16 02:52:05, Drew Haven wrote:
> On 2014/01/10 18:22:55, mef wrote:
> > Would we want to histogram failures as well?
> 
> In this case I'm duplicating what the non-elevated code has historically done.

> It's probably a lot more relevant in our case because the user could cancel or
> not have the proper permissions.
Good point, especially if we can get meaningful failure code.

https://codereview.chromium.org/98603007/diff/140001/content/common/utility_m...
File content/common/utility_messages.h (right):

https://codereview.chromium.org/98603007/diff/140001/content/common/utility_m...
content/common/utility_messages.h:58: // TODO(haven): Debugging only.  Remove
before submission.
On 2014/01/16 02:52:05, Drew Haven wrote:
> On 2014/01/10 18:22:55, mef wrote:
> > Is this correct comment? 
> > It seems to report whether utility process is actually elevated.
> 
> I had originally thought it would be moved to the test file, but I need to
leave
> it in if I want to run the test in content.  Also, I don't think it hurts
> anything.
I agree.

Drew Haven

Oops, I did forget to finish the upload. It's up now. On 2014/01/16 16:22:31, mef ...

6 years, 11 months ago (2014-01-16 20:13:44 UTC) #8

Oops, I did forget to finish the upload.  It's up now.

On 2014/01/16 16:22:31, mef wrote:
> Drew, thanks! I am very excited to see it coming together. 
> Did you actually upload the new patch? 
> The last one I see is patch #8, which is a week old.
> 
>
https://codereview.chromium.org/98603007/diff/140001/content/browser/child_pr...
> File content/browser/child_process_launcher_elevated_win.cc (right):
> 
>
https://codereview.chromium.org/98603007/diff/140001/content/browser/child_pr...
> content/browser/child_process_launcher_elevated_win.cc:76: base::TimeDelta
> launch_time = base::TimeTicks::Now() - begin_launch_time;
> On 2014/01/16 02:52:05, Drew Haven wrote:
> > On 2014/01/10 18:22:55, mef wrote:
> > > Does this include the time of user sitting on UAC prompt?
> > 
> > Yes it will.  That might mess up our statistics?  Think we should just
remove
> it
> > or give it its own histogram?
> Good question. I think it is pretty useless, given that it includes random
user
> interaction time. :-(
> 
>
https://codereview.chromium.org/98603007/diff/140001/content/browser/child_pr...
> content/browser/child_process_launcher_elevated_win.cc:115:
> RecordHistograms(begin_launch_time);
> On 2014/01/16 02:52:05, Drew Haven wrote:
> > On 2014/01/10 18:22:55, mef wrote:
> > > Would we want to histogram failures as well?
> > 
> > In this case I'm duplicating what the non-elevated code has historically
done.
> 
> > It's probably a lot more relevant in our case because the user could cancel
or
> > not have the proper permissions.
> Good point, especially if we can get meaningful failure code.
> 
>
https://codereview.chromium.org/98603007/diff/140001/content/common/utility_m...
> File content/common/utility_messages.h (right):
> 
>
https://codereview.chromium.org/98603007/diff/140001/content/common/utility_m...
> content/common/utility_messages.h:58: // TODO(haven): Debugging only.  Remove
> before submission.
> On 2014/01/16 02:52:05, Drew Haven wrote:
> > On 2014/01/10 18:22:55, mef wrote:
> > > Is this correct comment? 
> > > It seems to report whether utility process is actually elevated.
> > 
> > I had originally thought it would be moved to the test file, but I need to
> leave
> > it in if I want to run the test in content.  Also, I don't think it hurts
> > anything.
> I agree.

mef

Looks pretty good to me. I can't wait to try it out. https://codereview.chromium.org/98603007/diff/300001/content/browser/child_process_launcher.h File content/browser/child_process_launcher.h ...

6 years, 11 months ago (2014-01-17 16:57:06 UTC) #9

Drew Haven

Alright, things are starting to look good. I'm going to start looping in some security ...

6 years, 11 months ago (2014-01-22 23:14:24 UTC) #10

mef

On 2014/01/22 23:14:24, Drew Haven wrote: > Alright, things are starting to look good. I'm ...

6 years, 11 months ago (2014-01-23 16:08:45 UTC) #11

jam

some initial comments based on a quick look https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_utility_process_host.cc File chrome/service/service_utility_process_host.cc (right): https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_utility_process_host.cc#newcode210 chrome/service/service_utility_process_host.cc:210: return ...

6 years, 11 months ago (2014-01-24 22:14:02 UTC) #12

Drew Haven

https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_utility_process_host.cc File chrome/service/service_utility_process_host.cc (right): https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_utility_process_host.cc#newcode210 chrome/service/service_utility_process_host.cc:210: return handle_; On 2014/01/24 22:14:03, jam wrote: > I ...

6 years, 11 months ago (2014-01-27 21:43:51 UTC) #13

https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_u...
File chrome/service/service_utility_process_host.cc (right):

https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_u...
chrome/service/service_utility_process_host.cc:210: return handle_;
On 2014/01/24 22:14:03, jam wrote:
> I see where you call this, but it's not clear to me why this is needed?

It's because when I ran the elevated process I found that
OpenPrivilegedProcessHandle was failing.  We already have a handle, but not the
PID from ShellExecuteEx.  I couldn't find a way to get the process ID associated
with a handle without doing some complicated code execution in the context of
the other process.  As such, I just put in a way to directly get the handle we
already had instead of going back through the process ID.

I'm just going on what I could find through MSDN documentation and searches
though.  I could be wrong.

https://codereview.chromium.org/98603007/diff/600001/content/browser/child_pr...
File content/browser/child_process_launcher_impl.h (right):

https://codereview.chromium.org/98603007/diff/600001/content/browser/child_pr...
content/browser/child_process_launcher_impl.h:21: class CONTENT_EXPORT
ChildProcessLauncherImpl : public ChildProcessLauncher {
On 2014/01/24 22:14:03, jam wrote:
> why are you adding an interface around ChildProcessLauncher to support
elevated
> instead of adding an extra flag? we have supported different security
mechanisms
> like disabling sandbox or allowing a directory through that way.

When I started writing this I only added the LaunchElevated function for
Windows.  It might not be necessary or possible to do cleanly on some other
platforms and I didn't want to affect that code.  Perhaps I should add an error
for those platforms?  What I ended up with was a mess of #if defined(OS_WIN). 
In order to simply things, largely just so I could understand it, I duplicated
the ChildProcessLauncher code and started pulling out the stuff that was
irrelevant or unnecessary.  The implementation may not have ended up that
different, so perhaps I should attempt to merge them back together.  If we do
that I'd like to add implementations for the function to other OSes, but I think
at least for a long time those would be errors because we really only need this
in Windows (so far) for a few specific functions.

I tried to stick with the flag-based approach above this level.

jam

6 years, 11 months ago (2014-01-27 21:55:44 UTC) #14

https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_u...
File chrome/service/service_utility_process_host.cc (right):

https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_u...
chrome/service/service_utility_process_host.cc:210: return handle_;
On 2014/01/27 21:43:51, Drew Haven wrote:
> On 2014/01/24 22:14:03, jam wrote:
> > I see where you call this, but it's not clear to me why this is needed?
> 
> It's because when I ran the elevated process I found that
> OpenPrivilegedProcessHandle was failing.  We already have a handle, but not
the
> PID from ShellExecuteEx.  I couldn't find a way to get the process ID
associated
> with a handle without doing some complicated code execution in the context of
> the other process.  As such, I just put in a way to directly get the handle we
> already had instead of going back through the process ID.
> 
> I'm just going on what I could find through MSDN documentation and searches
> though.  I could be wrong.

I may be missing something. you say you already have a handle but not the pid.
do you mean the reverse? the caller is ChildProcessHostImpl::OnChannelConnected
which has a peer_pid.

https://codereview.chromium.org/98603007/diff/600001/content/browser/child_pr...
File content/browser/child_process_launcher_impl.h (right):

https://codereview.chromium.org/98603007/diff/600001/content/browser/child_pr...
content/browser/child_process_launcher_impl.h:21: class CONTENT_EXPORT
ChildProcessLauncherImpl : public ChildProcessLauncher {
On 2014/01/27 21:43:51, Drew Haven wrote:
> On 2014/01/24 22:14:03, jam wrote:
> > why are you adding an interface around ChildProcessLauncher to support
> elevated
> > instead of adding an extra flag? we have supported different security
> mechanisms
> > like disabling sandbox or allowing a directory through that way.
> 
> When I started writing this I only added the LaunchElevated function for
> Windows.  It might not be necessary or possible to do cleanly on some other
> platforms and I didn't want to affect that code.  Perhaps I should add an
error
> for those platforms?  What I ended up with was a mess of #if defined(OS_WIN). 
> In order to simply things, largely just so I could understand it, I duplicated
> the ChildProcessLauncher code and started pulling out the stuff that was
> irrelevant or unnecessary.  The implementation may not have ended up that
> different, so perhaps I should attempt to merge them back together.  If we do
> that I'd like to add implementations for the function to other OSes, but I
think
> at least for a long time those would be errors because we really only need
this
> in Windows (so far) for a few specific functions.
> 
> I tried to stick with the flag-based approach above this level.

Yeah, please use one implementation. child_process_launcher.cc is hard to read
because of all the ifdefs. It's time to make the arguments be in a struct, which
will make things cleaner as it gets passed around to methods and across threads.

Drew Haven

On 2014/01/27 21:55:44, jam wrote: > https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_utility_process_host.cc > File chrome/service/service_utility_process_host.cc (right): > > https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_utility_process_host.cc#newcode210 > ...

6 years, 10 months ago (2014-01-29 01:07:48 UTC) #15

On 2014/01/27 21:55:44, jam wrote:
>
https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_u...
> File chrome/service/service_utility_process_host.cc (right):
> 
>
https://codereview.chromium.org/98603007/diff/600001/chrome/service/service_u...
> chrome/service/service_utility_process_host.cc:210: return handle_;
> On 2014/01/27 21:43:51, Drew Haven wrote:
> > On 2014/01/24 22:14:03, jam wrote:
> > > I see where you call this, but it's not clear to me why this is needed?
> > 
> > It's because when I ran the elevated process I found that
> > OpenPrivilegedProcessHandle was failing.  We already have a handle, but not
> the
> > PID from ShellExecuteEx.  I couldn't find a way to get the process ID
> associated
> > with a handle without doing some complicated code execution in the context
of
> > the other process.  As such, I just put in a way to directly get the handle
we
> > already had instead of going back through the process ID.
> > 
> > I'm just going on what I could find through MSDN documentation and searches
> > though.  I could be wrong.
> 
> I may be missing something. you say you already have a handle but not the pid.
> do you mean the reverse? the caller is
ChildProcessHostImpl::OnChannelConnected
> which has a peer_pid.

I looked at it again you're right and I was confused.  What it is is that
base::OpenPrivilegedProcessHandle fails to open a handle on the privileged
process.  However, we can get the handle directly from ShellExecuteEx and we
already have it.  I figured instead of informing the ChildProcessHost that the
process is running elevated and switching on that we can just reuse the handle
if we already have one.

PROCESS_QUERY_INFORMATION, PROCESS_VM_READ and PROCESS_DUP_HANDLE all appear to
be restricted when opening a handle to this PID.

> 
>
https://codereview.chromium.org/98603007/diff/600001/content/browser/child_pr...
> File content/browser/child_process_launcher_impl.h (right):
> 
>
https://codereview.chromium.org/98603007/diff/600001/content/browser/child_pr...
> content/browser/child_process_launcher_impl.h:21: class CONTENT_EXPORT
> ChildProcessLauncherImpl : public ChildProcessLauncher {
> On 2014/01/27 21:43:51, Drew Haven wrote:
> > On 2014/01/24 22:14:03, jam wrote:
> > > why are you adding an interface around ChildProcessLauncher to support
> > elevated
> > > instead of adding an extra flag? we have supported different security
> > mechanisms
> > > like disabling sandbox or allowing a directory through that way.
> > 
> > When I started writing this I only added the LaunchElevated function for
> > Windows.  It might not be necessary or possible to do cleanly on some other
> > platforms and I didn't want to affect that code.  Perhaps I should add an
> error
> > for those platforms?  What I ended up with was a mess of #if
defined(OS_WIN). 
> > In order to simply things, largely just so I could understand it, I
duplicated
> > the ChildProcessLauncher code and started pulling out the stuff that was
> > irrelevant or unnecessary.  The implementation may not have ended up that
> > different, so perhaps I should attempt to merge them back together.  If we
do
> > that I'd like to add implementations for the function to other OSes, but I
> think
> > at least for a long time those would be errors because we really only need
> this
> > in Windows (so far) for a few specific functions.
> > 
> > I tried to stick with the flag-based approach above this level.
> 
> Yeah, please use one implementation. child_process_launcher.cc is hard to read
> because of all the ifdefs. It's time to make the arguments be in a struct,
which
> will make things cleaner as it gets passed around to methods and across
threads.

Alright, I merged the implementations, which wasn't nearly as bad as I expected.
 Do you want me to do the struct-args in this CL, or should we do it in a
follow-up CL?  For the moment I left the arguments expanded.

jam

apologies for the delay, I just saw this. in the future please feel free to ...

6 years, 10 months ago (2014-01-30 21:41:02 UTC) #16

Drew Haven

Alright, I think I got all the sync issues fixed and resolved feedback. One or ...

6 years, 10 months ago (2014-01-31 20:00:11 UTC) #17

Alright, I think I got all the sync issues fixed and resolved feedback.  One or
two outstanding comments though, such as whether to remove the test around the
whitelist filtering.  Jorge still wants to get a good look at that Monday
anyway.

And thanks for reviewing.  Don't worry about the delay, as long as I can still
make M34. :)

https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_co...
File chrome/utility/chrome_content_utility_client.h (right):

https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_co...
chrome/utility/chrome_content_utility_client.h:45: void
AddHandler(UtilityMessageHandler* handler);
On 2014/01/30 21:41:03, jam wrote:
> hmm, these two methods are only added for a unittest. given how simple the
> functionality is that we're testing, are you sure we need to test this?

Since this has security implications, I feel like we'd like to have tests.  For
the other test with the UAC I'll remove it, but I'd like to leave this one. 
Perhaps I should change the functions to make the names more test-oriented or
reduce the access (e.g. protected).

https://codereview.chromium.org/98603007/diff/760001/content/browser/browser_...
File content/browser/browser_child_process_host_impl.cc (right):

https://codereview.chromium.org/98603007/diff/760001/content/browser/browser_...
content/browser/browser_child_process_host_impl.cc:319:
delegate_->OnProcessLaunchFailed();
On 2014/01/30 21:41:03, jam wrote:
> nit: two space indent

Done.

https://codereview.chromium.org/98603007/diff/760001/content/browser/browser_...
File content/browser/browser_child_process_host_impl.h (right):

https://codereview.chromium.org/98603007/diff/760001/content/browser/browser_...
content/browser/browser_child_process_host_impl.h:64: virtual
base::ProcessHandle GetHandle() const;
On 2014/01/30 21:41:03, jam wrote:
> since this is part of ChildProcessHostDelegate, drop the comment and move to
> line 100 and add an OVERRIDE

Done.

https://codereview.chromium.org/98603007/diff/760001/content/browser/child_pr...
File content/browser/child_process_launcher.cc (right):

https://codereview.chromium.org/98603007/diff/760001/content/browser/child_pr...
content/browser/child_process_launcher.cc:114: 
On 2014/01/30 21:41:03, jam wrote:
> nit: drop the empty line

Done.

https://codereview.chromium.org/98603007/diff/760001/content/browser/child_pr...
content/browser/child_process_launcher.cc:220: base::StatsTable* stats_table =
base::StatsTable::current();
On 2014/01/30 21:41:03, jam wrote:
> this, and some of the other changes in this file are not from your change and
> are from changes that are already landed. can you update your checkout so that
> it shows diff from trunk instead of an earlier revision?

Done.

https://codereview.chromium.org/98603007/diff/760001/content/browser/utility_...
File content/browser/utility_process_host_impl_browsertest.cc (right):

https://codereview.chromium.org/98603007/diff/760001/content/browser/utility_...
content/browser/utility_process_host_impl_browsertest.cc:15: // requires
interaction in the form of a UAC prompt
On 2014/01/30 21:41:03, jam wrote:
> why are including it then?

It's just here because I wanted a quick way to test.  We don't actually have
anything that uses this new functionality yet, so I had to set something fake
up.  It's also just easy to develop when I can run smaller test binaries instead
of starting up a whole Chrome instance.

We can definitely remove this test, but it's very useful for me during
development.

https://codereview.chromium.org/98603007/diff/760001/content/common/utility_m...
File content/common/utility_messages.h (right):

https://codereview.chromium.org/98603007/diff/760001/content/common/utility_m...
content/common/utility_messages.h:30: // Checks whether the utility process is
running elevated.
On 2014/01/30 21:41:03, jam wrote:
> hmm, we shouldn't be putting testing IPCs here. especially since this test is
> disabled and you can't run it on bots because it needs a UAC prompt

Ah, in order to create the test I needed the utility process to respond to be
launched elevated and then confirm that that bi-directional communication was
working, so this is shared with the code that does the response and the test,
hence it's here and not in the test file.

I couldn't really think of an easier way to test it while developing.  In the
long run we can remove it.  I'd be more comfortable if there were a way to
automatically test it, but I can't see any.

https://codereview.chromium.org/98603007/diff/760001/content/public/common/ch...
File content/public/common/child_process_host_delegate.h (right):

https://codereview.chromium.org/98603007/diff/760001/content/public/common/ch...
content/public/common/child_process_host_delegate.h:31: virtual
base::ProcessHandle GetHandle() const = 0;
On 2014/01/30 21:41:03, jam wrote:
> nit: add documentation

Done.

jam

https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_content_utility_client.h File chrome/utility/chrome_content_utility_client.h (right): https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_content_utility_client.h#newcode45 chrome/utility/chrome_content_utility_client.h:45: void AddHandler(UtilityMessageHandler* handler); On 2014/01/31 20:00:12, Drew Haven wrote: ...

6 years, 10 months ago (2014-02-01 01:09:10 UTC) #18

https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_co...
File chrome/utility/chrome_content_utility_client.h (right):

https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_co...
chrome/utility/chrome_content_utility_client.h:45: void
AddHandler(UtilityMessageHandler* handler);
On 2014/01/31 20:00:12, Drew Haven wrote:
> On 2014/01/30 21:41:03, jam wrote:
> > hmm, these two methods are only added for a unittest. given how simple the
> > functionality is that we're testing, are you sure we need to test this?
> 
> Since this has security implications, I feel like we'd like to have tests. 
For
> the other test with the UAC I'll remove it, but I'd like to leave this one. 
> Perhaps I should change the functions to make the names more test-oriented or
> reduce the access (e.g. protected).

I understand the need to test. Perhaps there are other ways.

It seems that ChromeContentUtilityClientTest.MessageWhitelistAccept can be added
later when we actually have a whitelisted IPC. Then the test can use an existing
IPC used for production.

ChromeContentUtilityClientTest.MessageWhitelistReject doesn't need to add a
handler? i.e. it can check the return code of OnMessageReceived

ChromeContentUtilityClientTest.NoWhitelistUnelevated is checking that current
behavior of utility process works. It seems you can check the return code of
OnMessageReceived here as well. Also note that this is already tested through
other unittests which use the utility process code.

https://codereview.chromium.org/98603007/diff/840001/content/browser/ppapi_pl...
File content/browser/ppapi_plugin_process_host.cc (right):

https://codereview.chromium.org/98603007/diff/840001/content/browser/ppapi_pl...
content/browser/ppapi_plugin_process_host.cc:360:
static_cast<ChildProcessHostDelegate*>(process_.get())->GetHandle());
I just noticed this and the other places that case. It's probably cleaner to
just make BrowserChildProcessHostImpl's implementation of
ChildProcessHostDelegate be public, since it's legitimate to call one of these
methods and the casting is ugly

Jorge Lucangeli Obes

What will be needed in the future to whitelist a message? If it's a code ...

6 years, 10 months ago (2014-02-03 22:14:57 UTC) #19

Robert Sesek

(not adding myself as a reviewer, just observed this since I watch base/process) https://codereview.chromium.org/98603007/diff/840001/base/process/launch.h File ...

6 years, 10 months ago (2014-02-03 22:30:21 UTC) #20

Drew Haven

Alright, I removed those other tests that weren't really testing much and cleaned a few ...

6 years, 10 months ago (2014-02-04 21:25:54 UTC) #21

Alright, I removed those other tests that weren't really testing much and
cleaned a few minor things up.  That feature will be tested as we add more.

I'm not sure how to add a watch for an update to the whitelist.  There's no
owners file in that directory.  Do I add a per-file reviewer or is there another
OWNERS directive for what you want, jorge?

https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_co...
File chrome/utility/chrome_content_utility_client.h (right):

https://codereview.chromium.org/98603007/diff/760001/chrome/utility/chrome_co...
chrome/utility/chrome_content_utility_client.h:45: void
AddHandler(UtilityMessageHandler* handler);
On 2014/02/01 01:09:10, jam wrote:
> On 2014/01/31 20:00:12, Drew Haven wrote:
> > On 2014/01/30 21:41:03, jam wrote:
> > > hmm, these two methods are only added for a unittest. given how simple the
> > > functionality is that we're testing, are you sure we need to test this?
> > 
> > Since this has security implications, I feel like we'd like to have tests. 
> For
> > the other test with the UAC I'll remove it, but I'd like to leave this one. 
> > Perhaps I should change the functions to make the names more test-oriented
or
> > reduce the access (e.g. protected).
> 
> I understand the need to test. Perhaps there are other ways.
> 
> It seems that ChromeContentUtilityClientTest.MessageWhitelistAccept can be
added
> later when we actually have a whitelisted IPC. Then the test can use an
existing
> IPC used for production.
> 
> ChromeContentUtilityClientTest.MessageWhitelistReject doesn't need to add a
> handler? i.e. it can check the return code of OnMessageReceived
> 
> ChromeContentUtilityClientTest.NoWhitelistUnelevated is checking that current
> behavior of utility process works. It seems you can check the return code of
> OnMessageReceived here as well. Also note that this is already tested through
> other unittests which use the utility process code.

Okay, that generally sounds good.  Once we start adding new IPCs that should
only be run when elevated then we can test that they are properly whitelisted in
their tests and we don't really need these generic tests and extra methods.

I'll pull out all these tests.  In my next CL when I actually use this feature,
I'll test there.

https://codereview.chromium.org/98603007/diff/840001/base/process/launch.h
File base/process/launch.h (right):

https://codereview.chromium.org/98603007/diff/840001/base/process/launch.h#ne...
base/process/launch.h:225: BASE_EXPORT bool LaunchElevatedProcess(const
CommandLine& cmdline,
On 2014/02/03 22:30:22, rsesek wrote:
> There's already a OS_WIN specific Launch function above. Can you put it there
> (line 150) instead of just at the bottom of the file? Same in the .cc file.

Done.

https://codereview.chromium.org/98603007/diff/840001/content/browser/ppapi_pl...
File content/browser/ppapi_plugin_process_host.cc (right):

https://codereview.chromium.org/98603007/diff/840001/content/browser/ppapi_pl...
content/browser/ppapi_plugin_process_host.cc:360:
static_cast<ChildProcessHostDelegate*>(process_.get())->GetHandle());
On 2014/02/01 01:09:10, jam wrote:
> I just noticed this and the other places that case. It's probably cleaner to
> just make BrowserChildProcessHostImpl's implementation of
> ChildProcessHostDelegate be public, since it's legitimate to call one of these
> methods and the casting is ugly

Okay, I sort of thought the same thing.  But I didn't know which was the lesser
of the two evils.

https://codereview.chromium.org/98603007/diff/840001/content/browser/utility_...
File content/browser/utility_process_host_impl.h (right):

https://codereview.chromium.org/98603007/diff/840001/content/browser/utility_...
content/browser/utility_process_host_impl.h:80: // Whether to launch the process
with elevated permissions.
On 2014/02/03 22:14:59, Jorge Lucangeli Obes wrote:
> Nit: either change this to "privileges" or the above to "permissions".

Ah yes.  I'm trying to be consisted with "elevated privileges" and never
anything like "escalated permissions".  Good catch.

jam

lgtm https://codereview.chromium.org/98603007/diff/1030001/chrome/utility/chrome_content_utility_client.cc File chrome/utility/chrome_content_utility_client.cc (right): https://codereview.chromium.org/98603007/diff/1030001/chrome/utility/chrome_content_utility_client.cc#newcode73 chrome/utility/chrome_content_utility_client.cc:73: static const size_t kMessageWhitelistSize = arraysize(kMessageWhitelist); since you ...

6 years, 10 months ago (2014-02-04 23:29:06 UTC) #22

Jorge Lucangeli Obes

https://codereview.chromium.org/98603007/diff/1030001/chrome/utility/chrome_content_utility_client.cc File chrome/utility/chrome_content_utility_client.cc (right): https://codereview.chromium.org/98603007/diff/1030001/chrome/utility/chrome_content_utility_client.cc#newcode73 chrome/utility/chrome_content_utility_client.cc:73: static const size_t kMessageWhitelistSize = arraysize(kMessageWhitelist); On 2014/02/04 23:29:06, ...

6 years, 10 months ago (2014-02-05 00:15:55 UTC) #23

Drew Haven

I'm looking for someone to LGTM the changes to base/process. Otherwise things are looking good ...

6 years, 10 months ago (2014-02-05 02:36:30 UTC) #24

Nico

lgtm, but please expand the CL description so that someone who's not familiar with this ...

6 years, 10 months ago (2014-02-05 05:38:10 UTC) #25

mef

lgtm https://codereview.chromium.org/98603007/diff/1110001/base/process/launch.h File base/process/launch.h (right): https://codereview.chromium.org/98603007/diff/1110001/base/process/launch.h#newcode157 base/process/launch.h:157: BASE_EXPORT bool LaunchElevatedProcess(const CommandLine& cmdline, nit: Currently only ...

6 years, 10 months ago (2014-02-05 16:28:14 UTC) #26

Jorge Lucangeli Obes

not lgtm. did you forget to git add the OWNERS file? I don't see it ...

6 years, 10 months ago (2014-02-05 16:58:22 UTC) #27

Robert Sesek

https://codereview.chromium.org/98603007/diff/1110001/base/process/launch.h File base/process/launch.h (left): https://codereview.chromium.org/98603007/diff/1110001/base/process/launch.h#oldcode217 base/process/launch.h:217: nit: please restore/diff noise

6 years, 10 months ago (2014-02-05 17:11:49 UTC) #28

Drew Haven

Yep, I forgot to add the OWNERS file. jorgelo: can you double-check that OWNERS file? ...

6 years, 10 months ago (2014-02-05 20:13:20 UTC) #29

Drew Haven

Oops, uploaded a bad patchset. I'll replace it but it has a "std::string16" instead of ...

6 years, 10 months ago (2014-02-05 20:14:52 UTC) #30

Drew Haven

On 2014/02/05 20:14:52, Drew Haven wrote: > Oops, uploaded a bad patchset. I'll replace it ...

6 years, 10 months ago (2014-02-05 20:22:17 UTC) #31

Jorge Lucangeli Obes

On 2014/02/05 21:08:44, cpu wrote: > lgtm lgtm

6 years, 10 months ago (2014-02-05 23:14:49 UTC) #33

Drew Haven

jvoung, I added a flag to BrowserChildProcessHost::Launch on Windows to launch a process with elevated ...

6 years, 10 months ago (2014-02-08 19:29:53 UTC) #34

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/haven@chromium.org/98603007/1790001

6 years, 10 months ago (2014-02-11 08:27:28 UTC) #37

Message was sent while issue was closed.

Change committed as 250409

Expand Messages | Collapse Messages